Windows Server 2008 & Windows 7 Security – What’s New?


Brian Desmond
Moran Technology Consulting
www.morantechnology.com
www.briandesmond.com
About Me
 Chicago based
 Active Directory & Exchange consultant
 MS MVP for Active Directory since 2003
 Author of Active Directory, 4th Ed from O’Reilly
 You should own a copy!
e-mail: [email protected]
website & blog: www.briandesmond.com
Agenda
Server Core
 Managed Service Accounts
 Read-Only Domain Controllers
 Fine Grained Password Policies
 Deleted Object Management

What is Server Core?
New Installation Option for W2K8
 Not a separate SKU, does not require separate CALs
Security benefits
 Smaller installation footprint
 “Less friendly” UI leads to less “tinkering” in branch office scenarios
Administering Server Core
 Only specific services/roles can be installed
 Limited GUI – but not totally gone!
 Remote administration can use any GUI tools you’d like
Operational Concerns for Server Core
Application compatibility for Server Core
 Impact on anti-virus and other tools
 Windows Server 2008 R2 adds .NET
Administrative learning curve
 “Can I ‘upgrade’ a Server Core install to a full installation?”
 No, requires full re-install of the OS
Read-Only Domain Controllers
Admin Role Separation
 RODC server admins needn’t be Domain Admins
 Prevents branch admins from accidentally causing harm
 Delegated promotion
1-Way Replication
 No replication from RODC to full DC
 Change on RODC does not propagate to the entire enterprise
Secrets not cached by default
 Policy to configure caching branch-specific secrets on RODC
 Policy to configure custom schema attributes as secrets
Active Directory – No RODCs
[Diagram: hub site and branch offices, each branch running a full domain controller]
Domain Controller Secret Security
[Diagram: a lost branch office DC holds every domain secret – “Domain-wide Password Reset!”]
Active Directory – RODCs
[Diagram: hub site (RWDC) with a branch RODC in each branch office]
RODC Secret Security
[Diagram: a lost branch RODC holds only its cached branch secrets – “Just a few Password Resets”]
Password Replication Policy
Defines what secrets are cached on the RODC
 Stored on a per RODC basis
 Authenticated To List
 Cached Passwords List
 Caching Allowed List
 Caching Denied List
Cached passwords are removed when they expire or are changed
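Inspecting and adjusting the four Password Replication Policy lists with the Windows Server 2008 R2 / Windows 7 RSAT Active Directory module, as an added example (not from the deck); the RODC name BRANCH-RODC1, the group Branch1-Users and the user names are placeholders:

```powershell
Import-Module ActiveDirectory

$rodc = 'BRANCH-RODC1'   # placeholder RODC name

# Caching Allowed / Caching Denied lists: who may, and who must never, have secrets cached here
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

# Allow caching for a branch-specific group (the PRP is stored per RODC, so repeat per site)
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch1-Users'

# Authenticated To list: accounts that have authenticated through this RODC
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts

# Cached Passwords list: accounts whose secrets this RODC currently holds
$cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

# Defender check: no privileged account should ever show up in the cached list
$admins = Get-ADGroupMember 'Domain Admins' -Recursive | Select-Object -ExpandProperty DistinguishedName
$cached | Where-Object { $admins -contains $_.DistinguishedName }

# Optional: prepopulate a branch user's secret from the hub RWDC so first logon works over a WAN outage
# (HUB-DC1 and the user DN are placeholders)
Sync-ADObject -Object 'CN=Branch User,OU=Branch1,DC=contoso,DC=com' -Source 'HUB-DC1' -Destination $rodc -PasswordOnly
```

The last two queries are the ones to run after a branch RODC is lost: the Cached Passwords list is exactly the set of accounts whose passwords need resetting.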
Fine Grained Password Policies
Limitless password and lockout policies per domain
 Linked directly to users or via groups
 No OU based linking!
Create with ADSIEdit – no FGPP GUI
 Windows 7 adds PowerShell cmdlets
 3rd Party tools available
FGPP Management Tools
SpecOps Password Policy Basic - http://www.specopssoft.com
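Creating and linking an FGPP with the Windows 7 / 2008 R2 PowerShell cmdlets instead of ADSIEdit, as an added example (not from the deck); the policy name PSO-ServiceAccounts, the group Service Accounts and the user svc-backup are placeholders:

```powershell
Import-Module ActiveDirectory

# A stricter password settings object for service accounts; lower Precedence wins when several apply
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 20 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
    -ReversibleEncryptionEnabled $false

# FGPPs link to users or (global security) groups only; there is no OU linking
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'Service Accounts'

# Verify which policy actually applies to a given user (resultant PSO, or the domain default if none)
Get-ADUserResultantPasswordPolicy -Identity 'svc-backup'

# Audit all PSOs and what they are linked to
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo
```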
Service Accounts Today
Huge Security Hole
 Passwords never changed
 Nobody knows who knows the password
 Every service using the account is often unknown
Managed Service Accounts
Windows Server 2008 R2 feature
 Service account password managed by server automatically
 One-to-one service account to machine relationship
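Provisioning a Managed Service Account and binding it to its single host, as an added example (not from the deck); the account svc-app1, the host APP01, the domain CONTOSO and the service name MyService are placeholders:

```powershell
# --- On a domain controller or admin workstation with the AD module (2008 R2 schema required) ---
Import-Module ActiveDirectory

# Create the MSA; the domain generates and rotates its password, no human ever knows it
New-ADServiceAccount -Name 'svc-app1' -Enabled $true

# One-to-one relationship: only APP01 is allowed to use this account
Add-ADComputerServiceAccount -Identity 'APP01' -ServiceAccount 'svc-app1'

# --- On the member server APP01 ---
Import-Module ActiveDirectory

# Fetch the account and cache its password locally (LSA secret); no password is typed anywhere
Install-ADServiceAccount -Identity 'svc-app1'

# Returns True when this host can use the account
Test-ADServiceAccount -Identity 'svc-app1'

# Point the service at the MSA: logon name is DOMAIN\name$ and the password is left blank
# (assumption: sc.exe accepts the empty password for an MSA, as the Services snap-in does)
sc.exe config MyService obj= 'CONTOSO\svc-app1$' password= ''
```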
Accidental Deletion Protection
 Checkbox in Windows Server 2008 administrative tools
 Adds an ACL entry to the object preventing Delete for Everyone
Recycle Bin Object Lifecycle
Windows Server 2008:
 Live Object → Tombstone Object (180 days) → Garbage collection
 LDAP control OID 1.2.840.113556.1.4.417 returns tombstones
Windows Server 2008 R2 w/ Recycle Bin (if not enabled, behavior is similar to Windows Server 2008):
 Live Object → Deleted Object (180 days) → Recycled Object (180 days) → Garbage collection
 LDAP control OID 1.2.840.113556.1.4.417 returns deleted objects
 LDAP control OID 1.2.840.113556.1.4.2064 returns deleted and recycled objects
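Putting both deleted-object controls to work with the 2008 R2 cmdlets, as an added example (not from the deck); the OU, the domain contoso.com and the objectGUID are placeholders:

```powershell
Import-Module ActiveDirectory

# Accidental deletion protection: this flag is what the checkbox sets (the deny-Delete entry for Everyone)
Set-ADOrganizationalUnit -Identity 'OU=Branch Offices,DC=contoso,DC=com' -ProtectedFromAccidentalDeletion $true

# Find OUs that are still unprotected
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object DistinguishedName

# Recycle Bin: needs 2008 R2 forest functional level and cannot be switched off again
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'contoso.com'

# -IncludeDeletedObjects sends the show-deleted control (1.2.840.113556.1.4.417);
# deleted objects keep their attributes, so lastKnownParent tells you where they lived
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Select-Object Name, lastKnownParent, whenChanged

# Restore a deleted (not yet recycled) object to its original parent
Restore-ADObject -Identity '<objectGUID-placeholder>'
```

Once an object has aged into the recycled state it is visible only with the show-recycled control and can no longer be restored, so the 180-day deleted window is the recovery window.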
Active Directory, 4th Ed
Best selling Active Directory title
What’s New?
Windows Server 2008 coverage:
 Read Only Domain Controllers (RODCs)
 Fine Grained Password Policies (FGPPs)
 Auditing and security improvements
 Windows Server 2008 upgrade procedure
 DNS enhancements (such as GlobalName zones)
 Exchange 2007 integration & scripting
 Windows PowerShell & Active Directory
 .NET Active Directory programming
 New user interface features
 Lots of new diagrams and figures
Learn More! www.briandesmond.com/ad4/
LLTS Tracking Screenshot
Owner Access Restriction
Separates Owner access from Creator access
 Remember CREATOR OWNER?
Owners can modify permissions by default
 Use OWNER RIGHTS to prevent this
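Applying the OWNER RIGHTS principal (SID S-1-3-4) to a share so that file owners can no longer re-ACL their own files, as an added example (not from the deck); the path C:\Shares\Projects is a placeholder:

```powershell
$path = 'C:\Shares\Projects'   # placeholder folder

# Before: without an OWNER RIGHTS entry the owner implicitly holds READ_CONTROL and WRITE_DAC,
# so any user who creates a file can grant whoever they like access to it.

# Add an explicit OWNER RIGHTS entry (icacls takes a raw SID when prefixed with *).
# Once present, it replaces the implicit owner rights: owners get only what this entry grants.
icacls $path /grant "*S-1-3-4:(OI)(CI)(R)"

# Verify with icacls (the entry prints as OWNER RIGHTS)
icacls $path

# Same check from PowerShell, matching on the well-known SID rather than the display name
(Get-Acl $path).Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-3-4' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Administrators still manage permissions through their own ACEs; OWNER RIGHTS only limits what ownership by itself confers.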
Active Directory Auditing
Pre Windows Server 2008 Active Directory auditing was not very helpful
 New auditing introduces:
 Granularity
 Before and after data in audits
 Separate events for different types of operations
Sample Audit Event
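Turning on the new Directory Service Changes subcategory and pulling its per-operation events on a 2008 DC, as an added example (not from the deck); the OU DN is a placeholder and the event IDs are the documented Windows Server 2008 directory change events:

```powershell
# Enable only the "changes" subcategory (granular, instead of the old all-or-nothing DS auditing)
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# Auditing also needs a SACL on the objects of interest; check what the OU currently audits
Import-Module ActiveDirectory
$ou = 'OU=Branch Offices,DC=contoso,DC=com'   # placeholder
(Get-Acl -Path "AD:\$ou" -Audit).Audit | Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags

# Separate event IDs per operation type:
# 5136 attribute modified, 5137 object created, 5138 object undeleted, 5139 object moved, 5141 object deleted
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5138, 5139, 5141 } -MaxEvents 50 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

# "Before and after" data: a modification logs a 5136 with Operation Type "Value Deleted" (old value)
# followed by a 5136 with "Value Added" (new value); show just the modifications
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 20 |
    Where-Object { $_.Message -match 'Value (Added|Deleted)' } |
    Select-Object TimeCreated, @{ n = 'Change'; e = { ($_.Message -split "`n") -match 'Operation:|Type:|Value:' -join ' ' } }
```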